Merill’s blog
Use a custom app for Graph PowerShell delegate access
If you want to follow the least privilege model for the applications in your Azure AD tenant, you might be concerned about consenting to many permissions scopes to the Microsoft Graph PowerShell app over time.
To avoid this, you can register your own app for use with Microsoft Graph PowerShell. This allows you to have more granular control.
Here are the steps to go about setting it up.
- Browse to Entra > App registrations [adappreg.cmd.ms] > New Registration
- Name: Microsoft Graph PowerShell - High Privilege admin use only (<- Give a meaningful name)
- Account type: Accounts in this organization directory
- Redirect URI:
- Select Public client/native from the drop down
- Uri: http
://localhost
- Click Create
That’s it!
Now you can use this app instead of the default one by connecting with
Connect-MgGraph -ClientId <Your new app clientid> -TenantId <your tenant id>
Here are a few screenshots to help guide you.
Remember to use the ClientId and TenantId parameters when signing in.
Restricted user access
I would also recommend limiting the users that have access to these Graph PowerShell applications. To do this browse to the Enterprise Applications [adapps.cmd.ms](https://adapps.cmd.ms] blade, select the app and in Properties set Assignment required? to Yes. Then grant access to the required folks from the Users blade.
Windows PowerShell 5.1
The steps above will get you working with PowerShell 7, which is what you SHOULD be using. In the unfortunate event that you are stuck with Windows PowerShell 5.1 you need to do one more thing.
- Open the app you just created in App registrations [adappreg.cmd.ms]
- Select Authentication
- Check https://login.microsoftonline.com/common/oauth2/nativeclient
- Click Save
Share on
TwitterAzure AD and Microsoft Graph Extensions and Attributes
A comparison of the five different types of Microsoft Azure AD + Graph extensions and attributes.
| Extension Attributes 1-15 (aka onPremisesExtensionAttributes) | Directory extensions / Custom extension properties (aka AAD extensions) | Schema extensions | Open extensions | Custom security attributes | |
|---|---|---|---|---|---|
| Audience | IT Admins • Devs | IT Admins • Devs | Devs | Devs | IT Admins • Devs |
| Dynamic group membership rule | ✅ | ✅ | ❌ | ❌ | ❌ |
| Conditional Access - Users and groups | ✅ | ✅ | ❌ | ❌ | ❌ |
| Conditional Access - App Filter | ❌ | ❌ | ❌ | ❌ | ✅ |
| Conditional Access - Device Filter | ✅ | ❌ | ❌ | ❌ | ❌ |
| Admin user interface | ✅ | ❌ | ❌ | ❌ | ✅ |
| Cross-Tenant synchronization | ✅ | ✅ | ❌ | ❌ | ❌ |
| App user provisioning | ✅ | ✅ | ❌ | ❌ | ❌ |
| Entitlement Management automatic assignment | ✅ | ✅ | ❌ | ❌ | ❌ |
| Lifecycle Workflows execution conditions scope | ✅ | ✅ | ❌ | ❌ | ❌ |
| Filterable | ✅ | ✅ | ✅ | ❌ | ✅ |
| External identities - Self-service sign up flow | ✅ | ✅ | ❌ | ❌ | ❌ |
| Usable for customizing token claims | ✅ | ✅ | ❌ | ❌ | ❌ |
| Requires AAD P1/P2 license | ❌ | ❌ | ❌ | ❌ | ✅ |
| Azure ABAC | ❌ | ❌ | ❌ | ❌ | ✅ |
| Block read access | ❌ | ❌ | ❌ | ❌ | ✅ |
| Strongly typed | ❌ | ✅ | ✅ | ❌ | ✅ |
| Support multi-valued attributes | ✅ | ✅1 | ❌ | ❌ | ✅ |
| Azure AD Connect and Cloud Sync | ✅ | ✅ | ❌ | ❌ | ❌ |
| Supported resources | user • device | user • group • administrativeUnit • application • device • organization | user • group • administrativeUnit • application • contact • device • event • message • organization • post | user • group • contact • device • event • message • organization • post • todoTask • todoTaskList | user • servicePrincipal |
| Data types | String | Binary • Boolean • DateTime • Integer • LargeInteger • String (256 char) | Binary • Boolean • DateTime • Integer • String | String | Boolean • Integer • String |
| Max limits | 15 per object | 100 extensions across all types and all applications | 100 per resource | 2 per creator app per resource | 50 per object • 500 attributes per tenant • More info |
| When to use | • Simpler way to leverage on-prem data or Exchange data • Wanting a simple string attribute on a user/device which can be used in multiple applications as a claim |
• Extending AAD resources with more attributes • Need more strongly-typed attributes than extension attributes 1-15 • With AAD Connect Sync, can also sync on-prem or SharePoint data |
• To extend Graph resources • Don’t require attributes as part of user authentication and as a claim |
Directly add attributes to single Graph object, rather than through an extension schema | Store confidential data |
| Key notes | • Can only sync for users with onPremisesSyncEnabled • Cannot be updated by Microsoft Graph unless users/devices are cloud only (not synced from on-prem) |
• Extension is created on an app object, then target resource(s) are manually updated with value • AAD Connect Sync uses directory extensions |
Extension is created as stand-alone resource, then applied to object | Simple setup and usage | Built with security and least privilege |
1 Multi-value support in directory extensions is limited to attributes synchronized from on-prem. It is not possible to create new multi-valued directory extensions in Azure AD.
Share on
TwitterAzure AD Shortcuts
NOTE: Check out https://cmd.ms. The new and improved version of this.
I’m a command line guy and hate having to click to get to various Azure AD pages. Over time I created these shortcuts and thought you might find them helpful.
Here is how it works. Open a new tab and type aka.ms/ad/{command}
Where shortcut is one of the commands below.
| aka.ms | Command | Portal Blade |
|---|---|---|
| aka.ms/ad/ca | ca | Conditional Access |
| aka.ms/ad/pim | pim | Privileged Identity Management |
| aka.ms/ad/users | users | Users |
| aka.ms/ad/groups | groups | Groups |
| aka.ms/ad/devices | devices | Devices |
| aka.ms/ad/apps | apps | Enterprise Applications |
| aka.ms/ad/appreg | appreg | Application Registrations |
| aka.ms/ad/auth | auth | Authentication Methods Policies |
| aka.ms/ad/legacymfa | legacymfa | Legacy MFA |
| aka.ms/ad/guests | guests | Guest Access Settings |
| aka.ms/ad/logs | logs | Sign in Logs |
| aka.ms/ad/xtap | xtap | Cross Tenant Access Settings |
| aka.ms/ad/roles | roles | Azure AD Roles |
| aka.ms/ad/sspr | sspr | Password Reset |
| aka.ms/ad/security | security | Security |
| aka.ms/ad/mfaunblock | mfaunblock | MFA Unblock |
| aka.ms/ad/reviews | reviews | Access Reviews |
| aka.ms/ad/score | score | Secure Score |
| aka.ms/ad/license | license | Licenses |
| aka.ms/ad/synclog | synclog | AAD Connect Sync Errors |
| aka.ms/ad/adfslog | adfslog | ADFS Log |
| aka.ms/ad/consent | consent | Consents and Permissions |
| aka.ms/ad/support | support | Support |
| aka.ms/ad/list | list | List all these shortcuts |
If you liked those here are some of my favourite Identity related shortcuts.
| aka.ms | Page |
|---|---|
| aka.ms/azad | Azure AD Portal |
| aka.ms/sspr | Self Service Password Reset |
| aka.ms/mysecurity | My Security |
| aka.ms/myapps | My Apps |
| aka.ms/my-account | My Account |
| aka.ms/my-groups | My Groups |
| aka.ms/my-access | My Access Packages |
| aka.ms/mystaff | My Access Packages |
| aka.ms/mfasetup | Alternative for My Security |
| aka.ms/ge | Graph Explorer |
| aka.ms/ge | Intune |
Have I missed anything? Have new suggestions? Let me know at twitter.com/merill.
Share on
TwitterGraph PowerShell Conversion Analyzer
Hey folks, I took part in a hackathon last week and built the Graph PowerShell Conversion Analyzer. Hopefully, this will help a bit as you upgrade your AzureAD & MSOnline PowerShell scripts to Graph PowerShell.
It’s very rough right now but I would love to hear your feedback.
Try it out at https://graphpowershell.merill.net
You start by pasting in one of your old scripts that you want to upgrade to Graph PowerShell and clicking the Analyze button.
This will generate a report of all the Azure AD PowerShell and MSOnline commands that were found along with a mapping to its corresponding Graph PowerShell command. The sample generated will try to map the parameters to the new command.
This is where I still need to do a lot more work to make it really useful.
Where possible you also get direct links to both the Graph PowerShell command reference as well as the Graph API reference (which usually has more relevant info).
No more hunting around and searching the docs!
The last bit is where you the community can really help us and each other out. We’ve started an open repository of sample Graph PowerShell scripts at https://aka.ms/graphsamples
We would love to make this the largest collection of Graph PowerShell sample scripts. It’s open to everyone to contribute so please share your scripts (even one-liners).
Let me know what you think. If you have any ideas on how this can be improved I’m all ears!
Share on
TwitterGet-MgUser_List1: Expect simple name=value query, but observe property 'assignedLicenses' of complex type 'AssignedLicense'.
Are you seeing this message when trying to get user license information using the Graph API.
_Expect simple name=value query, but observe property ‘assignedLicenses’ of complex type ‘AssignedLicense’.
❯ Get-MgUser -Filter 'assignedLicenses/$count eq 0'
Get-MgUser_List1: Expect simple name=value query, but observe property 'assignedLicenses' of complex type 'AssignedLicense'.
The fix is quite simple. Set the ConsistencyLevel header to eventual and pass in a variable to store the count of the result set and you are good to go.
❯ Get-MgUser -Filter 'assignedLicenses/$count eq 0' -ConsistencyLevel eventual -CountVariable licensedUserCount -All
Id DisplayName Mail UserPrincipalName
-- ----------- ---- -----------------
1468b68b-8536-4bc5-ab1f-6014175b836d merill-fdo merill-fdo@yopmail.net merill-fdo_yopmail.net#E…
160f8064-a20c-4236-bdf4-3393003e916b Ezra Brand ezra@fdo.net ezra_fdo.net#EXT#@pora.n…
37e5a3d1-f92b-4a12-bb35-91bf80969810 Joshua Sal user2@fakedomain.com user2_fakedomain.com#EXT…
5c8537e4-7d7f-4920-a921-382d91fa53fd Fake Damain user@fakedomain.com user_fakedomain.com#EXT#…
640885de-9652-4fb2-8a87-963cc2f599a0 Chris Green chris.green@yopmail.net chris.green_yopmail.net#…